  1. #11
    Player
    ZohnoReecho's Avatar
    Join Date
    Aug 2013
    Posts
    958
    Character
    Zohno Reecho
    World
    Ragnarok
    Main Class
    Pugilist Lv 70
    Quote Originally Posted by viion View Post
    sadly, with this game, it does jackall. It can be bypassed.
    Don't spread false info please. People are dumb enough for not using one (who can). Now we just need to promote the non use of the token.
    (2)

  2. #12
    Player
    Jwrigh7784's Avatar
    Join Date
    Jun 2011
    Location
    Gridania
    Posts
    90
    Character
    Methius Silvercloud
    World
    Behemoth
    Main Class
    Paladin Lv 90
    Quote Originally Posted by ZohnoReecho View Post
    Don't spread false info please. People are dumb enough for not using one (who can). Now we just need to promote the non use of the token.
    Actually, the authenticator can be bypassed. Someone pointed out a massive security flaw that bypasses the launcher and lets anyone log into any account and all they need is the session ID which is surprisingly easy to obtain. I have personally witnessed this and am shocked at such a security flaw.
    (1)

  3. #13
    Player
    whoopeeragon's Avatar
    Join Date
    Mar 2011
    Location
    Navigator's Glory
    Posts
    1,245
    Character
    Azarim Erro
    World
    Hyperion
    Main Class
    Lancer Lv 70
    Quote Originally Posted by Jwrigh7784 View Post
    Actually, the authenticator can be bypassed. Someone pointed out a massive security flaw that bypasses the launcher and lets anyone log into any account and all they need is the session ID which is surprisingly easy to obtain. I have personally witnessed this and am shocked at such a security flaw.
    Apparently, they have fixed it to be IP-locked now? I don't know the specifics, but people have been reporting that when they log in from a different IP, their account gets locked until they confirm it through email etc. Similar to how things worked in 1.0. For people with dynamic IPs, maybe it will be a hassle, but I think it's a welcome change. I'm not sure how this will affect session IDs, but nonetheless, it will make logins from external areas a bit harder.
    (2)

  4. #14
    Player
    ZohnoReecho's Avatar
    Join Date
    Aug 2013
    Posts
    958
    Character
    Zohno Reecho
    World
    Ragnarok
    Main Class
    Pugilist Lv 70
    Quote Originally Posted by Jwrigh7784 View Post
    Actually, the authenticator can be bypassed. Someone pointed out a massive security flaw that bypasses the launcher and lets anyone log into any account and all they need is the session ID which is surprisingly easy to obtain. I have personally witnessed this and am shocked at such a security flaw.
    If you have something that can read that session from the process, believe me that nothing can stop it from redirecting the game login page to a fake one and stealing the data you insert.

    Just because it can be bypassed doesn't mean you don't have to do the best to protect yourself.

    It's as if I wouldn't wear a bulletproof vest because they can shoot me in the head anyway.
    (3)

  5. #15
    Player
    DragonFlyy's Avatar
    Join Date
    Sep 2013
    Posts
    889
    Character
    Jasla Angelkin
    World
    Balmung
    Main Class
    Arcanist Lv 90
    The session IDs are now being made invalid when you log off. What you are seeing is an interruption in service. If someone tries to log into your account while you are on, they get the error that someone is already logged in; it doesn't boot you out.
    (4)

  6. #16
    Player
    Join Date
    Mar 2011
    Posts
    532
    Quote Originally Posted by whoopeeragon View Post
    Apparently, they have fixed it to be IP-locked now? I don't know the specifics, but people have been reporting that when they log in from a different IP, their account gets locked until they confirm it through email etc. Similar to how things worked in 1.0. For people with dynamic IPs, maybe it will be a hassle, but I think it's a welcome change. I'm not sure how this will affect session IDs, but nonetheless, it will make logins from external areas a bit harder.
    No, the IP check is because they do not have an OTP attached to the account. SE has done this for a rather long time, even going back to FFXI.
    (1)

  7. #17
    Player
    Mordermi's Avatar
    Join Date
    Aug 2013
    Posts
    185
    Character
    Mordermi Auditore
    World
    Diabolos
    Main Class
    Marauder Lv 50
    (0)

  8. #18
    Player Kosmos992k's Avatar
    Join Date
    Aug 2013
    Location
    Ul'Dah
    Posts
    4,349
    Character
    Kosmos Meishou
    World
    Behemoth
    Main Class
    Paladin Lv 90
    Quote Originally Posted by Zfz View Post
    Hackers are using randomized session IDs to connect with the servers! Oh noes!


    I also got authentication error twice since last night. Either they changed something or the hackers really are doing mass brute force...
    They changed something, the chances of brute forcing a significant number of session IDs are about as high as the Sun going nova, today. It doesn't have a high enough success rate to make sense to any hacker, not to mention that it gives SE an opportunity to trace them more effectively and IP ban their sorry rear ends.
    (0)
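
The server-side behaviour described in posts #15 and #18 (session IDs invalidated at logoff, a second login refused while one is live, and random guessing of IDs being hopeless), sketched as an added example that is not part of the thread and is not Square Enix's code. The class and function names, the 128-bit ID size and the sample counts are assumptions.

```python
import hmac
import secrets


class SessionStore:
    """Toy server-side session table (constructed for illustration)."""

    def __init__(self, token_bytes=16):          # 16 bytes = 128-bit IDs (assumed)
        self.token_bytes = token_bytes
        self._live = {}                          # account -> current session ID

    def login(self, account):
        # A second login while a session is live is refused; the session
        # already in use is left untouched (nobody gets booted).
        if account in self._live:
            raise PermissionError("account is already logged in")
        token = secrets.token_hex(self.token_bytes)   # fresh CSPRNG value per login
        self._live[account] = token
        return token

    def validate(self, account, token):
        current = self._live.get(account)
        # Constant-time comparison; an unknown account has no valid ID.
        return current is not None and hmac.compare_digest(current, token)

    def logout(self, account, token):
        # Logging off deletes the ID server-side, so a copy captured
        # earlier stops working at that moment.
        if self.validate(account, token):
            del self._live[account]
            return True
        return False


def guess_hit_bound(live_sessions, guesses, token_bits):
    """Union bound on P(some random guess equals some live session ID)."""
    return min(1.0, live_sessions * guesses / 2 ** token_bits)


def demo():
    store = SessionStore()
    sid = store.login("alice")
    try:
        store.login("alice")                     # concurrent attempt
        second = "accepted"
    except PermissionError:
        second = "refused"
    store.logout("alice", sid)
    return second, store.validate("alice", sid)  # ID replayed after logout
```

With a million live sessions and a billion guesses, `guess_hit_bound(10**6, 10**9, 128)` is on the order of 1e-24; the same call with 32-bit IDs saturates at 1.0, which is why ID length and a CSPRNG matter more than rate limiting alone.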

  9. #19
    Player
    Quesse's Avatar
    Join Date
    Mar 2011
    Location
    Gridania
    Posts
    1,176
    Character
    Quesse Mithril
    World
    Sargatanas
    Main Class
    Miner Lv 70
    Quote Originally Posted by Jwrigh7784 View Post
    Actually, the authenticator can be bypassed. Someone pointed out a massive security flaw that bypasses the launcher and lets anyone log into any account and all they need is the session ID which is surprisingly easy to obtain. I have personally witnessed this and am shocked at such a security flaw.
    Sure, if your computer is hacked.

    So basically if you hack someone's computer, the session id becomes 'Easy to obtain'. Shocking.
    (2)
